Bug 645481 (CVE-2010-3376) - CVE-2010-3376 root: insecure library loading vulnerability
Summary: CVE-2010-3376 root: insecure library loading vulnerability
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-3376
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 645483
Blocks:
Reported: 2010-10-21 15:34 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-10-22 09:08:13 UTC
Embargoed:



Description Jan Lieskovsky 2010-10-21 15:34:10 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3376 to
the following vulnerability:

The (1) proofserv, (2) xrdcp, (3) xrdpwdadmin, and (4) xrd scripts in
ROOT 5.18/00 place a zero-length directory name in the
LD_LIBRARY_PATH, which allows local users to gain privileges via a
Trojan horse shared library in the current working directory.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3376
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598419
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598420


Affected versions:
=================
This issue affects the versions of the root package as shipped with
Fedora releases 12 and 13. Relevant scripts are in:

  BUILD/root-5.26.00d/config

One sample occurrence of insecure LD_LIBRARY_PATH re-set is in:

  BUILD/root-5.26.00d/config/xrootd.in:

    44         export LD_LIBRARY_PATH=$XRDLIBS:$LD_LIBRARY_PATH

  The above re-setting of the LD_LIBRARY_PATH variable is insecure.

Tomas Hoger suggests (https://bugzilla.redhat.com/show_bug.cgi?id=638384#c2)
the following one-liner as a solution:

  export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

You can also query Red Hat Bugzilla system for "insecure library loading
vulnerability" string, to get further information about all affected packages
and particular patches.

Also, prior to scheduling the particular "root" package Fedora v12 and v13 updates,
please check the whole content of the src.rpm package for similar deficiencies
via:

  grep -A2 -B2 -rHn "LD_LIBRARY_PATH" * | more

and fix (with the above one-liner) all of the insecure occurrences.
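
The following is an added example, not part of the bug report or of the root project's scripts. It reproduces the effect of the xrootd.in line quoted above next to the ${VAR:+...} form suggested as the fix, and adds a small checker for the empty path elements that the dynamic loader treats as the current working directory; the library directory /usr/lib64/root used in the comments is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the bug report or from ROOT/xrootd).
# Shows why "$XRDLIBS:$LD_LIBRARY_PATH" yields an empty element when the
# caller has no LD_LIBRARY_PATH, and why "${LD_LIBRARY_PATH:+:...}" does not.

# Insecure form, equivalent to the quoted xrootd.in line.
# $1 = library dir (e.g. the value of XRDLIBS), $2 = existing LD_LIBRARY_PATH
# ("" when unset). With $2 empty the result ends in ':', and an empty
# element in LD_LIBRARY_PATH means "the current working directory" to ld.so.
insecure_ld_path() {
    printf '%s\n' "$1:$2"
}

# Fixed form from the report: the ':' is emitted only when the existing
# value is non-empty, so no empty element is ever produced.
secure_ld_path() {
    printf '%s\n' "$1${2:+:$2}"
}

# Returns 0 (true) when the colon-separated path in $1 contains an empty
# element: a leading ':', a trailing ':' or '::'. An entirely empty value is
# treated as "nothing set" and returns 1.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with a constructed library directory and no inherited path.
if has_empty_element "$(insecure_ld_path /usr/lib64/root "")"; then
    echo "insecure form: empty element present (cwd would be searched)"
fi
if ! has_empty_element "$(secure_ld_path /usr/lib64/root "")"; then
    echo "fixed form: no empty element"
fi
```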

Comment 1 Jan Lieskovsky 2010-10-21 15:40:58 UTC
Created root tracking bugs for this issue

Affects: fedora-all [bug 645483]

Comment 2 Mattias Ellert 2010-10-22 09:08:13 UTC
This CVE is about a vulnerability in shell wrappers around some commands that
are used in the Debian packages. These wrappers are specific to Debian and the
vulnerability therefore does not affect Fedora.

According to the CVE the affected files (in Debian) are:

/usr/bin/proofserv
/usr/bin/xrdcp
/usr/bin/xrdpwdadmin
/usr/bin/xrd

The Fedora package uses the default wrapper from upstream for
/usr/bin/proofserv which does not have this issue.

The remaining three are not provided by root in Fedora, since xrootd has been
unbundled and is provided by a separate package. These three files as provided
by the xrootd-clients package are not shell wrappers that modify
LD_LIBRARY_PATH but the binaries themselves.


In addition - though not mentioned in the CVE itself, but in the bug description above - the xrootd start-up script from the root sources is not used since xrootd has been unbundled. The xrootd start-up script in the xrootd package, though based on the version in the root sources (since xrootd upstream doesn't provide their own), has already had the offending line removed.

